Configuring Communication with an Auto Update Server
To configure the ASA as an Auto Update client, perform the following steps:
Step 1 To specify the URL of the Auto Update Server, enter the following command:
hostname(config)# auto-update server url [source interface] [verify-certificate]
where url has the following syntax:
http[s]://[user:password@]server_ip[:port]/pathname
SSL is used when https is specified. The user and password arguments of the URL are used for basic authentication when logging in to the server. If you use the write terminal, show configuration or show tech-support commands to view the configuration, the user and password are replaced with ‘********’.
The default port is 80 for HTTP and 443 for HTTPS.
The source interface keyword and argument specify which interface to use when sending requests to the Auto Update Server. If you specify the same interface specified by the management-access command, the Auto Update requests travel over the same IPsec VPN tunnel used for management access.
The verify-certificate keyword verifies the certificate returned by the Auto Update Server.
Step 2 (Optional) To identify the device ID to send when communicating with the Auto Update Server, enter the following command:
hostname(config)# auto-update device-id {hardware-serial | hostname | ipaddress [if-name] | mac-address [if-name] | string text}
The identifier used is determined by specifying one of the following parameters:
- The hardware-serial argument specifies the ASA serial number.
- The hostname argument specifies the ASA hostname.
- The ipaddress keyword specifies the IP address of the specified interface. If the interface name is not specified, it uses the IP address of the interface used to communicate with the Auto Update Server.
- The mac-address keyword specifies the MAC address of the specified interface. If the interface name is not specified, it uses the MAC address of the interface used to communicate with the Auto Update Server.
- The string keyword specifies the text identifier to use, which cannot include white space or any of the characters ' (single quote), " (double quote), , (comma), > (greater-than), & (ampersand), and ? (question mark).
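The URL grammar from Step 1 and the string restrictions from Step 2, worked as an added Python helper (not ASA code): it applies the 80/443 port defaults, renders the URL with the basic-auth credentials masked the way the configuration viewers do, and checks a device-id string against the forbidden characters. The exact masked rendering is an assumption; the page only says the user and password are replaced with '********'.

```python
import re
from urllib.parse import urlsplit

# Assumed helper, not ASA code: models the URL grammar of the auto-update
# server command and the credential masking shown by show configuration.
_DEFAULT_PORT = {"http": 80, "https": 443}
# Characters the string form of auto-update device-id rejects.
_DEVICE_ID_FORBIDDEN = set("'\",>&?")


def parse_auto_update_url(url):
    """Split http[s]://[user:password@]server_ip[:port]/pathname into parts."""
    parts = urlsplit(url)
    if parts.scheme not in _DEFAULT_PORT:
        raise ValueError("URL must start with http:// or https://")
    if not parts.hostname:
        raise ValueError("server_ip is required")
    if not parts.path:
        raise ValueError("pathname is required")
    return {
        "tls": parts.scheme == "https",          # SSL only when https is used
        "user": parts.username,                  # basic-auth credentials, if any
        "password": parts.password,
        "host": parts.hostname,
        "port": parts.port or _DEFAULT_PORT[parts.scheme],  # 80 / 443 default
        "path": parts.path,
    }


def redact_auto_update_url(url):
    """Render the URL as the configuration viewers do, with user:password masked.

    Assumed rendering: the whole user:password part becomes '********'.
    """
    parse_auto_update_url(url)  # reject malformed URLs before redacting
    return re.sub(r"^(https?://)[^@/]*@", r"\1********@", url)


def validate_device_id_string(text):
    """Check the string form of auto-update device-id: no white space or ' \" , > & ?."""
    if not text:
        return False
    return not any(c.isspace() or c in _DEVICE_ID_FORBIDDEN for c in text)
```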
Step 3 (Optional) To specify how often to poll the Auto Update Server for configuration or image updates, enter the following command:
hostname(config)# auto-update poll-period poll-period [retry-count [retry-period]]
The poll-period argument specifies how often (in minutes) to check for an update. The default is 720 minutes (12 hours).
The retry-count argument specifies how many times to try reconnecting to the server if the first attempt fails. The default is zero.
The retry-period argument specifies how long to wait (in minutes) between retries. The default is five minutes.
Step 4 (Optional) To schedule a specific time for the ASA to poll the Auto Update Server, enter the following command:
hostname(config)# auto-update poll-at days-of-the-week time [randomize minutes] [retry_count [retry_period]]
The days-of-the-week argument is any single day or combination of days: Monday, Tuesday, Wednesday, Thursday, Friday, Saturday, and Sunday. Other possible values are daily (Monday through Sunday), weekdays (Monday through Friday), and weekends (Saturday and Sunday).
The time argument specifies the time in the format HH:MM at which to start the poll. For example, 8:00 is 8:00 a.m. and 20:00 is 8:00 p.m.
The randomize minutes keyword and argument specify the period to randomize the poll time following the specified start time. The range is from 1 to 1439 minutes.
The retry_count argument specifies how many times to try reconnecting to the Auto Update Server if the first attempt fails. The default is zero.
The retry_period argument specifies how long to wait between connection attempts. The default is five minutes. The range is from 1 to 35791 minutes.
Step 5 (Optional) If the Auto Update Server has not been contacted for a certain period of time, the following command causes the ASA to stop passing traffic:
hostname(config)# auto-update timeout period
The period argument specifies the timeout period in minutes between 1 and 35791. The default is to never time out (zero minutes). To restore the default, enter the no form of this command.
Use the auto-update timeout command to be sure that the ASA has the most recent image and configuration. This condition is reported with system log message 201008.
In the following example, an ASA is configured to poll an Auto Update Server with the IP address 209.165.200.224, at port number 1742, from the outside interface, with certificate verification.
The ASA is also configured to use the hostname as the device ID and to poll an Auto Update Server every Friday and Saturday night at a random time between 10:00 p.m. and 11:00 p.m. On a failed polling attempt, the ASA will try to reconnect to the Auto Update Server ten times, and will wait three minutes between attempts at reconnecting, as shown in the following example:
hostname(config)# auto-update server https://jcrichton:farscape@209.165.200.224:1742/management source outside verify-certificate
hostname(config)# auto-update device-id hostname
hostname(config)# auto-update poll-at Friday Saturday 22:00 randomize 60 10 3
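The scheduling rules of Steps 3 to 5 (day keywords, randomize window, retry arguments and the timeout), worked as an added Python helper that is not ASA code: it parses the arguments of a poll-at command such as the Friday/Saturday example above, computes the next poll window and the retry times after a failed poll, and evaluates the timeout rule (zero means never).

```python
from datetime import datetime, timedelta

# Assumed helper, not ASA code: models the day keywords, randomize window,
# retry arguments and timeout described for the auto-update commands above.
_DAYS = {d: i for i, d in enumerate(
    "monday tuesday wednesday thursday friday saturday sunday".split())}
_GROUPS = {"daily": set(range(7)), "weekdays": set(range(5)), "weekends": {5, 6}}


def parse_poll_at(tokens):
    """Parse the arguments of 'auto-update poll-at' into a schedule dict."""
    tokens = [t.lower() for t in tokens]
    days = set()
    while tokens and (tokens[0] in _DAYS or tokens[0] in _GROUPS):
        tok = tokens.pop(0)
        days |= _GROUPS[tok] if tok in _GROUPS else {_DAYS[tok]}
    if not days or not tokens:
        raise ValueError("expected days-of-the-week followed by HH:MM")
    hour, minute = (int(x) for x in tokens.pop(0).split(":"))
    sched = {"days": days, "hour": hour, "minute": minute,
             "randomize": 0, "retry_count": 0, "retry_period": 5}  # documented defaults
    if tokens and tokens[0] == "randomize":
        tokens.pop(0)
        sched["randomize"] = int(tokens.pop(0))
        if not 1 <= sched["randomize"] <= 1439:
            raise ValueError("randomize must be 1 to 1439 minutes")
    if tokens:
        sched["retry_count"] = int(tokens.pop(0))
    if tokens:
        sched["retry_period"] = int(tokens.pop(0))
    return sched


def next_poll_window(sched, now):
    """Earliest scheduled start at or after `now`, plus the end of the randomize window."""
    for offset in range(8):  # a week ahead always contains a scheduled day
        day = now + timedelta(days=offset)
        if day.weekday() not in sched["days"]:
            continue
        start = day.replace(hour=sched["hour"], minute=sched["minute"],
                            second=0, microsecond=0)
        if start >= now:
            return start, start + timedelta(minutes=sched["randomize"])
    raise AssertionError("unreachable: every schedule has a day within a week")


def retry_times(sched, failed_at):
    """Reconnect attempts after a poll that failed at `failed_at`."""
    return [failed_at + timedelta(minutes=sched["retry_period"] * i)
            for i in range(1, sched["retry_count"] + 1)]


def traffic_allowed(last_contact, now, timeout_minutes):
    """auto-update timeout rule: 0 never times out, else traffic stops after the period."""
    return timeout_minutes == 0 or now - last_contact <= timedelta(minutes=timeout_minutes)
```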
Configuring Client Updates as an Auto Update Server
Entering the client-update command enables updates for ASAs configured as Auto Update clients and lets you specify the type of software component (ASDM or boot image), the type or family of ASA, revision numbers to which the update applies, and a URL or IP address from which to obtain the update.
To configure the ASA as an Auto Update Server, perform the following steps:
Step 1 To enable client update, enter the following command:
hostname(config)# client-update enable
Step 2 Configure the following parameters for the client-update command that you want to apply to the ASAs:
client-update {component {asdm | image} | device-id dev_string | family family_name | type type} url url-string rev-nums rev-nums
The component { asdm | image } parameter specifies the software component, either ASDM or the boot image of the ASA.
The device-id dev_string parameter specifies a unique string that the Auto Update client uses to identify itself. The maximum length is 63 characters.
The family family_name parameter specifies the family name that the Auto Update client uses to identify itself. It can be asa, pix, or a text string with a maximum length of seven characters.
The rev-nums rev-nums parameter specifies the software or firmware images for this client. Enter up to four, in any order, separated by commas.
The type type parameter specifies the type of clients to notify of a client update. Because this command is also used to update Windows clients, the list of clients includes several Windows operating systems. The ASAs in the list may include the following:
- asa5505: Cisco 5505 ASA
- asa5510: Cisco 5510 ASA
- asa5520: Cisco 5520 ASA
- asa5540: Cisco 5540 ASA
The url url-string parameter specifies the URL for the software/firmware image. This URL must point to a file appropriate for this client. For all Auto Update clients, you must use the protocol “http://” or “https://” as the prefix for the URL.
Configure the parameters for the client update that you want to apply to all ASAs of a particular type. That is, specify the type of ASA and the URL or IP address from which to get the updated image. In addition, you must specify a revision number. If the revision number of the remote ASA matches one of the specified revision numbers, there is no need to update the client, and the update is ignored.
To configure a client update for Cisco 5520 ASAs, enter the following command:
hostname(config)# client-update type asa5520 component asdm url http://192.168.1.114/aus/asdm601.bin rev-nums 8.0(1)
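The server-side matching rule described above (update applies to clients matching the entry's selectors, and is ignored when the client's revision is one of the listed rev-nums), worked as an added Python helper that is not the ASA's own Auto Update Server code; it also enforces the http/https prefix, the one-to-four rev-nums limit, and the device-id and family length limits stated in Step 2.

```python
from dataclasses import dataclass

# Assumed model of the client-update rules described above; an illustrative
# helper, not the ASA's own Auto Update Server code.
_MATCH_KEYS = ("component", "device-id", "family", "type")


@dataclass
class ClientUpdateEntry:
    criteria: dict   # e.g. {"type": "asa5520", "component": "asdm"}
    url: str
    rev_nums: tuple  # one to four revision numbers


def parse_client_update(line):
    """Parse one 'client-update ... url ... rev-nums ...' configuration line."""
    tokens = line.split()
    if not tokens or tokens[0] != "client-update":
        raise ValueError("not a client-update command")
    kv = dict(zip(tokens[1::2], tokens[2::2]))
    url = kv.get("url", "")
    if not url.startswith(("http://", "https://")):
        raise ValueError("url must use the http:// or https:// prefix")
    revs = tuple(kv.get("rev-nums", "").split(","))
    if not 1 <= len(revs) <= 4 or "" in revs:
        raise ValueError("rev-nums takes one to four comma-separated revisions")
    crit = {k: v for k, v in kv.items() if k in _MATCH_KEYS}
    if len(crit.get("device-id", "")) > 63:
        raise ValueError("device-id is at most 63 characters")
    fam = crit.get("family")
    if fam and fam not in ("asa", "pix") and len(fam) > 7:
        raise ValueError("family is asa, pix or at most seven characters")
    return ClientUpdateEntry(crit, url, revs)


def update_for_client(entries, client_attrs, current_rev):
    """Return the URL a polling client should fetch, or None when no update applies.

    A client matches an entry when every criterion on the entry equals the
    attribute the client reports; if its current revision is one of the
    entry's rev-nums the update is ignored, as the text above states.
    """
    for entry in entries:
        if all(client_attrs.get(k) == v for k, v in entry.criteria.items()):
            return None if current_rev in entry.rev_nums else entry.url
    return None
```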